Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 10:28
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
87992b4d6330927f8db3636b34c5d0f05c3b71af81fb8eed302e5411bfa768a4.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
120 seconds
General
-
Target
87992b4d6330927f8db3636b34c5d0f05c3b71af81fb8eed302e5411bfa768a4.exe
-
Size
453KB
-
MD5
d99bf23c3d7cf717def0c4bd261d4242
-
SHA1
8837f5f8034cff3e2999ed78407be44f5c329717
-
SHA256
87992b4d6330927f8db3636b34c5d0f05c3b71af81fb8eed302e5411bfa768a4
-
SHA512
79fc0e22b12508b5aebba0f6a9f4da349f906a807504b70589b41a0e209ac964bf447fcd67d9c7a779a264b2e8cdca09f6e971215b6ff088c9de74d74dded595
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbed:q7Tc2NYHUrAwfMp3CDd
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 54 IoCs
resource yara_rule behavioral1/memory/1728-1-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1528-15-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/1528-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2152-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2988-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-56-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2752-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2860-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1808-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2668-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/672-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2172-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2108-132-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/2576-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1676-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2984-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2096-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1344-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2008-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1828-238-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon 
behavioral1/memory/1828-240-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2992-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2492-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2492-257-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2500-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1964-297-0x0000000077240000-0x000000007735F000-memory.dmp family_blackmoon behavioral1/memory/1964-298-0x0000000077360000-0x000000007745A000-memory.dmp family_blackmoon behavioral1/memory/2412-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2788-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2424-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2748-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1808-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1328-446-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1328-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3008-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2060-502-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2468-505-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2468-510-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1512-536-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1576-576-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2568-595-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2424-602-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/768-685-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2080-795-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3040-802-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/556-809-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/1740-838-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2148-858-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/2148-860-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2156-877-0x0000000000270000-0x000000000029A000-memory.dmp family_blackmoon behavioral1/memory/2996-905-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1700-1011-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2448-1049-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1528 bbbbht.exe 2152 djdpj.exe 2988 7ddjj.exe 2144 48842.exe 2800 lrlflrf.exe 2752 3flxlxx.exe 2860 6006442.exe 2692 226862.exe 1808 486844.exe 2668 nnhbhn.exe 2172 608088.exe 672 rflxrxf.exe 2108 6046486.exe 2132 9xrfllr.exe 2576 fxxxlrf.exe 2952 26468.exe 1676 g0406.exe 2984 08628.exe 2700 3bhtnt.exe 2096 thbbhn.exe 1648 864668.exe 3020 3tntbn.exe 1344 s8624.exe 2008 824022.exe 1828 42468.exe 1768 080662.exe 2492 ddppv.exe 2992 lfxlrlx.exe 700 860240.exe 2500 xlxlxfr.exe 1508 xxfffxf.exe 1964 hhbnbn.exe 2412 jvvpd.exe 2424 2022286.exe 2788 048684.exe 2268 hbbhhh.exe 2824 046284.exe 2748 w60622.exe 2916 ppddv.exe 2760 1httbh.exe 2848 8264624.exe 2792 426244.exe 2620 8884246.exe 1808 0428006.exe 2668 jdvdv.exe 2648 20468.exe 2172 bthtbh.exe 1136 9nbhhh.exe 1088 9lxxfrl.exe 1756 rlfrfrf.exe 2368 3pjdp.exe 2844 826206.exe 2904 ddvpj.exe 1328 9vpvd.exe 1676 604424.exe 2076 dddpd.exe 2324 88886.exe 1920 08624.exe 548 vdvdj.exe 3008 ttnbnb.exe 1608 ttnntb.exe 2060 vdvdd.exe 2468 3rlrrxf.exe 1644 jjdpp.exe -
resource yara_rule behavioral1/memory/1728-1-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1528-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2152-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2144-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1808-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/672-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2172-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2576-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2984-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1676-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2984-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2096-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1344-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2008-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1828-238-0x0000000000250000-0x000000000027A000-memory.dmp upx behavioral1/memory/2992-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2492-259-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2500-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1964-297-0x0000000077240000-0x000000007735F000-memory.dmp upx behavioral1/memory/2412-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2424-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1808-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1328-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3008-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1608-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2060-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2468-505-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2468-510-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/856-517-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1512-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2088-537-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1576-576-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1576-574-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2568-595-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-621-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-648-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/768-685-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1344-770-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1816-783-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/3040-804-0x0000000000230000-0x000000000025A000-memory.dmp upx behavioral1/memory/3032-812-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3032-818-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1812-826-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2148-860-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2592-936-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2236-998-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1700-1011-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1396-1036-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0468006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlfrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 804422.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrllrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8246288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6040224.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6626806.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s8680.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i884060.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0424064.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlxrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ddjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrllxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 000206.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 886240.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1728 wrote to memory of 1528 1728 87992b4d6330927f8db3636b34c5d0f05c3b71af81fb8eed302e5411bfa768a4.exe 30 PID 1728 wrote to memory of 1528 1728 87992b4d6330927f8db3636b34c5d0f05c3b71af81fb8eed302e5411bfa768a4.exe 30 PID 1728 wrote to memory of 1528 1728 87992b4d6330927f8db3636b34c5d0f05c3b71af81fb8eed302e5411bfa768a4.exe 30 PID 1728 wrote to memory of 1528 1728 87992b4d6330927f8db3636b34c5d0f05c3b71af81fb8eed302e5411bfa768a4.exe 30 PID 1528 wrote to memory of 2152 1528 bbbbht.exe 31 PID 1528 wrote to memory of 2152 1528 bbbbht.exe 31 PID 1528 wrote to memory of 2152 1528 bbbbht.exe 31 PID 1528 wrote to memory of 2152 1528 bbbbht.exe 31 PID 2152 wrote to memory of 2988 2152 djdpj.exe 32 PID 2152 wrote to memory of 2988 2152 djdpj.exe 32 PID 2152 wrote to memory of 2988 2152 djdpj.exe 32 PID 2152 wrote to memory of 2988 2152 djdpj.exe 32 PID 2988 wrote to memory of 2144 2988 7ddjj.exe 33 PID 2988 wrote to memory of 2144 2988 7ddjj.exe 33 PID 2988 wrote to memory of 2144 2988 7ddjj.exe 33 PID 2988 wrote to memory of 2144 2988 7ddjj.exe 33 PID 2144 wrote to memory of 2800 2144 48842.exe 34 PID 2144 wrote to memory of 2800 2144 48842.exe 34 PID 2144 wrote to memory of 2800 2144 48842.exe 34 PID 2144 wrote to memory of 2800 2144 48842.exe 34 PID 2800 wrote to memory of 2752 2800 lrlflrf.exe 35 PID 2800 wrote to memory of 2752 2800 lrlflrf.exe 35 PID 2800 wrote to memory of 2752 2800 lrlflrf.exe 35 PID 2800 wrote to memory of 2752 2800 lrlflrf.exe 35 PID 2752 wrote to memory of 2860 2752 3flxlxx.exe 36 PID 2752 wrote to memory of 2860 2752 3flxlxx.exe 36 PID 2752 wrote to memory of 2860 2752 3flxlxx.exe 36 PID 2752 wrote to memory of 2860 2752 3flxlxx.exe 36 PID 2860 wrote to memory of 2692 2860 6006442.exe 37 PID 2860 wrote to memory of 2692 2860 6006442.exe 37 PID 2860 wrote to memory of 2692 2860 6006442.exe 37 PID 2860 wrote to memory of 2692 2860 6006442.exe 37 PID 2692 wrote to memory of 1808 2692 226862.exe 38 PID 2692 
wrote to memory of 1808 2692 226862.exe 38 PID 2692 wrote to memory of 1808 2692 226862.exe 38 PID 2692 wrote to memory of 1808 2692 226862.exe 38 PID 1808 wrote to memory of 2668 1808 486844.exe 39 PID 1808 wrote to memory of 2668 1808 486844.exe 39 PID 1808 wrote to memory of 2668 1808 486844.exe 39 PID 1808 wrote to memory of 2668 1808 486844.exe 39 PID 2668 wrote to memory of 2172 2668 nnhbhn.exe 40 PID 2668 wrote to memory of 2172 2668 nnhbhn.exe 40 PID 2668 wrote to memory of 2172 2668 nnhbhn.exe 40 PID 2668 wrote to memory of 2172 2668 nnhbhn.exe 40 PID 2172 wrote to memory of 672 2172 608088.exe 41 PID 2172 wrote to memory of 672 2172 608088.exe 41 PID 2172 wrote to memory of 672 2172 608088.exe 41 PID 2172 wrote to memory of 672 2172 608088.exe 41 PID 672 wrote to memory of 2108 672 rflxrxf.exe 42 PID 672 wrote to memory of 2108 672 rflxrxf.exe 42 PID 672 wrote to memory of 2108 672 rflxrxf.exe 42 PID 672 wrote to memory of 2108 672 rflxrxf.exe 42 PID 2108 wrote to memory of 2132 2108 6046486.exe 43 PID 2108 wrote to memory of 2132 2108 6046486.exe 43 PID 2108 wrote to memory of 2132 2108 6046486.exe 43 PID 2108 wrote to memory of 2132 2108 6046486.exe 43 PID 2132 wrote to memory of 2576 2132 9xrfllr.exe 44 PID 2132 wrote to memory of 2576 2132 9xrfllr.exe 44 PID 2132 wrote to memory of 2576 2132 9xrfllr.exe 44 PID 2132 wrote to memory of 2576 2132 9xrfllr.exe 44 PID 2576 wrote to memory of 2952 2576 fxxxlrf.exe 45 PID 2576 wrote to memory of 2952 2576 fxxxlrf.exe 45 PID 2576 wrote to memory of 2952 2576 fxxxlrf.exe 45 PID 2576 wrote to memory of 2952 2576 fxxxlrf.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\87992b4d6330927f8db3636b34c5d0f05c3b71af81fb8eed302e5411bfa768a4.exe"C:\Users\Admin\AppData\Local\Temp\87992b4d6330927f8db3636b34c5d0f05c3b71af81fb8eed302e5411bfa768a4.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1728 -
\??\c:\bbbbht.exec:\bbbbht.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1528 -
\??\c:\djdpj.exec:\djdpj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\7ddjj.exec:\7ddjj.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\48842.exec:\48842.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144 -
\??\c:\lrlflrf.exec:\lrlflrf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\3flxlxx.exec:\3flxlxx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\6006442.exec:\6006442.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\226862.exec:\226862.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\486844.exec:\486844.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1808 -
\??\c:\nnhbhn.exec:\nnhbhn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\608088.exec:\608088.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\rflxrxf.exec:\rflxrxf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:672 -
\??\c:\6046486.exec:\6046486.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
\??\c:\9xrfllr.exec:\9xrfllr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132 -
\??\c:\fxxxlrf.exec:\fxxxlrf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576 -
\??\c:\26468.exec:\26468.exe17⤵
- Executes dropped EXE
PID:2952 -
\??\c:\g0406.exec:\g0406.exe18⤵
- Executes dropped EXE
PID:1676 -
\??\c:\08628.exec:\08628.exe19⤵
- Executes dropped EXE
PID:2984 -
\??\c:\3bhtnt.exec:\3bhtnt.exe20⤵
- Executes dropped EXE
PID:2700 -
\??\c:\thbbhn.exec:\thbbhn.exe21⤵
- Executes dropped EXE
PID:2096 -
\??\c:\864668.exec:\864668.exe22⤵
- Executes dropped EXE
PID:1648 -
\??\c:\3tntbn.exec:\3tntbn.exe23⤵
- Executes dropped EXE
PID:3020 -
\??\c:\s8624.exec:\s8624.exe24⤵
- Executes dropped EXE
PID:1344 -
\??\c:\824022.exec:\824022.exe25⤵
- Executes dropped EXE
PID:2008 -
\??\c:\42468.exec:\42468.exe26⤵
- Executes dropped EXE
PID:1828 -
\??\c:\080662.exec:\080662.exe27⤵
- Executes dropped EXE
PID:1768 -
\??\c:\ddppv.exec:\ddppv.exe28⤵
- Executes dropped EXE
PID:2492 -
\??\c:\lfxlrlx.exec:\lfxlrlx.exe29⤵
- Executes dropped EXE
PID:2992 -
\??\c:\860240.exec:\860240.exe30⤵
- Executes dropped EXE
PID:700 -
\??\c:\xlxlxfr.exec:\xlxlxfr.exe31⤵
- Executes dropped EXE
PID:2500 -
\??\c:\xxfffxf.exec:\xxfffxf.exe32⤵
- Executes dropped EXE
PID:1508 -
\??\c:\hhbnbn.exec:\hhbnbn.exe33⤵
- Executes dropped EXE
PID:1964 -
\??\c:\20444.exec:\20444.exe34⤵PID:1596
-
\??\c:\jvvpd.exec:\jvvpd.exe35⤵
- Executes dropped EXE
PID:2412 -
\??\c:\2022286.exec:\2022286.exe36⤵
- Executes dropped EXE
PID:2424 -
\??\c:\048684.exec:\048684.exe37⤵
- Executes dropped EXE
PID:2788 -
\??\c:\hbbhhh.exec:\hbbhhh.exe38⤵
- Executes dropped EXE
PID:2268 -
\??\c:\046284.exec:\046284.exe39⤵
- Executes dropped EXE
PID:2824 -
\??\c:\w60622.exec:\w60622.exe40⤵
- Executes dropped EXE
PID:2748 -
\??\c:\ppddv.exec:\ppddv.exe41⤵
- Executes dropped EXE
PID:2916 -
\??\c:\1httbh.exec:\1httbh.exe42⤵
- Executes dropped EXE
PID:2760 -
\??\c:\8264624.exec:\8264624.exe43⤵
- Executes dropped EXE
PID:2848 -
\??\c:\426244.exec:\426244.exe44⤵
- Executes dropped EXE
PID:2792 -
\??\c:\8884246.exec:\8884246.exe45⤵
- Executes dropped EXE
PID:2620 -
\??\c:\0428006.exec:\0428006.exe46⤵
- Executes dropped EXE
PID:1808 -
\??\c:\jdvdv.exec:\jdvdv.exe47⤵
- Executes dropped EXE
PID:2668 -
\??\c:\20468.exec:\20468.exe48⤵
- Executes dropped EXE
PID:2648 -
\??\c:\bthtbh.exec:\bthtbh.exe49⤵
- Executes dropped EXE
PID:2172 -
\??\c:\9nbhhh.exec:\9nbhhh.exe50⤵
- Executes dropped EXE
PID:1136 -
\??\c:\9lxxfrl.exec:\9lxxfrl.exe51⤵
- Executes dropped EXE
PID:1088 -
\??\c:\rlfrfrf.exec:\rlfrfrf.exe52⤵
- Executes dropped EXE
PID:1756 -
\??\c:\3pjdp.exec:\3pjdp.exe53⤵
- Executes dropped EXE
PID:2368 -
\??\c:\826206.exec:\826206.exe54⤵
- Executes dropped EXE
PID:2844 -
\??\c:\ddvpj.exec:\ddvpj.exe55⤵
- Executes dropped EXE
PID:2904 -
\??\c:\9vpvd.exec:\9vpvd.exe56⤵
- Executes dropped EXE
PID:1328 -
\??\c:\604424.exec:\604424.exe57⤵
- Executes dropped EXE
PID:1676 -
\??\c:\dddpd.exec:\dddpd.exe58⤵
- Executes dropped EXE
PID:2076 -
\??\c:\88886.exec:\88886.exe59⤵
- Executes dropped EXE
PID:2324 -
\??\c:\08624.exec:\08624.exe60⤵
- Executes dropped EXE
PID:1920 -
\??\c:\vdvdj.exec:\vdvdj.exe61⤵
- Executes dropped EXE
PID:548 -
\??\c:\ttnbnb.exec:\ttnbnb.exe62⤵
- Executes dropped EXE
PID:3008 -
\??\c:\ttnntb.exec:\ttnntb.exe63⤵
- Executes dropped EXE
PID:1608 -
\??\c:\vdvdd.exec:\vdvdd.exe64⤵
- Executes dropped EXE
PID:2060 -
\??\c:\3rlrrxf.exec:\3rlrrxf.exe65⤵
- Executes dropped EXE
PID:2468 -
\??\c:\jjdpp.exec:\jjdpp.exe66⤵
- Executes dropped EXE
PID:1644 -
\??\c:\0862402.exec:\0862402.exe67⤵PID:856
-
\??\c:\pjdpd.exec:\pjdpd.exe68⤵PID:556
-
\??\c:\7fxlxfl.exec:\7fxlxfl.exe69⤵PID:1512
-
\??\c:\pvvjd.exec:\pvvjd.exe70⤵PID:2088
-
\??\c:\fxxrflx.exec:\fxxrflx.exe71⤵PID:1500
-
\??\c:\tnntbb.exec:\tnntbb.exe72⤵PID:1168
-
\??\c:\btbhnb.exec:\btbhnb.exe73⤵PID:1860
-
\??\c:\7jpjj.exec:\7jpjj.exe74⤵PID:3064
-
\??\c:\vpjpd.exec:\vpjpd.exe75⤵PID:1576
-
\??\c:\0428664.exec:\0428664.exe76⤵PID:2528
-
\??\c:\1rrfxfx.exec:\1rrfxfx.exe77⤵PID:2516
-
\??\c:\0620468.exec:\0620468.exe78⤵PID:2568
-
\??\c:\s8680.exec:\s8680.exe79⤵
- System Location Discovery: System Language Discovery
PID:2424 -
\??\c:\jjpdv.exec:\jjpdv.exe80⤵PID:2140
-
\??\c:\040240.exec:\040240.exe81⤵PID:2268
-
\??\c:\26840.exec:\26840.exe82⤵PID:2696
-
\??\c:\5frxfxr.exec:\5frxfxr.exe83⤵PID:3000
-
\??\c:\c480802.exec:\c480802.exe84⤵PID:2820
-
\??\c:\ddvjp.exec:\ddvjp.exe85⤵PID:2924
-
\??\c:\hhtbtb.exec:\hhtbtb.exe86⤵PID:2736
-
\??\c:\i228068.exec:\i228068.exe87⤵PID:2616
-
\??\c:\lfxlxfx.exec:\lfxlxfx.exe88⤵PID:2660
-
\??\c:\jjvdd.exec:\jjvdd.exe89⤵PID:2052
-
\??\c:\hbtbht.exec:\hbtbht.exe90⤵PID:2352
-
\??\c:\2080880.exec:\2080880.exe91⤵PID:876
-
\??\c:\9hhhtb.exec:\9hhhtb.exe92⤵PID:768
-
\??\c:\3pdjp.exec:\3pdjp.exe93⤵PID:840
-
\??\c:\rrlrxlx.exec:\rrlrxlx.exe94⤵PID:2976
-
\??\c:\k68806.exec:\k68806.exe95⤵PID:2672
-
\??\c:\nthbhn.exec:\nthbhn.exe96⤵PID:2888
-
\??\c:\7nhhnb.exec:\7nhhnb.exe97⤵PID:2964
-
\??\c:\1pjvp.exec:\1pjvp.exe98⤵PID:2904
-
\??\c:\8886486.exec:\8886486.exe99⤵PID:1076
-
\??\c:\hnhbnt.exec:\hnhbnt.exe100⤵PID:1908
-
\??\c:\nnbntb.exec:\nnbntb.exe101⤵PID:2984
-
\??\c:\60468.exec:\60468.exe102⤵PID:688
-
\??\c:\xrrxllx.exec:\xrrxllx.exe103⤵PID:444
-
\??\c:\9tbnbt.exec:\9tbnbt.exe104⤵PID:1920
-
\??\c:\rrlxxlx.exec:\rrlxxlx.exe105⤵PID:2032
-
\??\c:\646288.exec:\646288.exe106⤵PID:1864
-
\??\c:\u602228.exec:\u602228.exe107⤵PID:1344
-
\??\c:\s2068.exec:\s2068.exe108⤵PID:1368
-
\??\c:\i408484.exec:\i408484.exe109⤵PID:1816
-
\??\c:\g8460.exec:\g8460.exe110⤵PID:2080
-
\??\c:\64628.exec:\64628.exe111⤵PID:3040
-
\??\c:\u084624.exec:\u084624.exe112⤵PID:556
-
\??\c:\442844.exec:\442844.exe113⤵PID:3032
-
\??\c:\o460006.exec:\o460006.exe114⤵PID:1604
-
\??\c:\20402.exec:\20402.exe115⤵PID:1812
-
\??\c:\hthnnn.exec:\hthnnn.exe116⤵PID:1740
-
\??\c:\ddvdv.exec:\ddvdv.exe117⤵PID:3064
-
\??\c:\k40028.exec:\k40028.exe118⤵PID:1596
-
\??\c:\nhthtt.exec:\nhthtt.exe119⤵PID:2148
-
\??\c:\6084624.exec:\6084624.exe120⤵PID:2556
-
\??\c:\rxxlrll.exec:\rxxlrll.exe121⤵PID:2788
-
\??\c:\tnhnht.exec:\tnhnht.exe122⤵PID:2156